Foundations of DevSecOps

Learn how to build security into your DevOps process, leverage security requirements to plan testing efforts, and integrate practical security tools and techniques across the delivery pipeline.

Description

This course focuses on building security into your DevOps process and leveraging security requirements to guide testing efforts. Participants explore key aspects of security testing, including web security, threat modeling, risk assessment, and multiple security analysis techniques, to understand how these practices integrate effectively into a DevOps pipeline.

If your organization has already moved toward a DevOps way of thinking but security testing is missing from the pipeline, this course is designed to help you transition into a practical DevSecOps approach. The emphasis is on hands-on work with configuring and using security tools, understanding where they fit in the pipeline, and learning how DevSecOps extends DevOps principles with meaningful security practices.

Key takeaways from this class include:

  • Build security into your DevOps process rather than treating it as a late-stage activity
  • Use security requirements to shape testing efforts across the delivery pipeline
  • Understand and apply risk assessment and threat modeling techniques
  • Improve visibility with log management, monitoring, and SIEM capabilities
  • Compare and apply SCA, SAST, DAST, and advanced security testing approaches such as IAST, RASP, and HAST
  • Understand security requirements testing, misuse and abuse cases, and the role of penetration testing
  • Gain hands-on experience configuring and using practical security tools

By the end of this course, participants will better understand how to integrate security into delivery pipelines, select appropriate security techniques for different stages, and strengthen the connection between development, testing, security, and operations.

Who Should Attend

This class is intended for software professionals involved with development, testing, security, and operations. It is most appropriate for practitioners and is not specifically tailored toward management or leadership audiences.

Preparation

Each student should bring a laptop with an SSH client (such as PuTTY on Windows) preinstalled. Connection details and credentials will be provided during class. Attendees should verify any required permissions with their IT administrator before the course.

Course Duration and Schedule

Two-Day Format

8:30 AM - 4:30 PM each day with a 1-hour lunch break and morning and afternoon breaks.

Three-Day Format

11:30 AM - 5:00 PM each day with afternoon breaks.

Upcoming Training

There are currently no scheduled classes for this course. Classes can be requested on demand.


Course Outline

Session 1: Foundations

  • DevOps refresher: purpose, goals, Dev vs. Ops, and DevOps principles
  • Security refresher: definition and history of information security, CIA++ (confidentiality, integrity, and availability, plus the properties that extend them), and the state of application security
  • DevSecOps overview: understanding the integration of security into DevOps

Session 2: Infrastructure and Visibility

  • Log management: motivation, tools, and hands-on exercise
  • Monitoring: motivation, tools, and hands-on exercise
  • SIEM (Security Information and Event Management): definition, terms, purpose, benefits and drawbacks, and tool types
  • SIEM exercise

Session 3: Risk and Threat Analysis

  • Risk assessment: importance of software security and understanding risk
  • Risk assessment exercise
  • Threat modeling: Microsoft STRIDE and architectural/design reviews
  • Threat modeling exercise

Session 4: Security Testing Techniques

  • Software Composition Analysis (SCA): motivation, tools, and hands-on exercise
  • Static Application Security Testing (SAST): goals, pros and cons, and tools for code analysis
  • Dynamic Application Security Testing (DAST): tool mechanics, goals, and pros and cons for running applications
  • Advanced techniques: IAST, RASP, and HAST, including what they are, how they work, and their pros and cons

Session 5: Requirements and Validation

  • Security requirements testing: functional vs. non-functional requirements and misuse/abuse cases
  • Security requirements exercise
  • Penetration testing: when it should be performed, how it works, and enumeration and footprinting analysis
  • Penetration testing exercise